diff --git a/cli/packages/cmd/bootstrap.go b/cli/packages/cmd/bootstrap.go
index 5f6e6d0473..e6c46a2a26 100644
--- a/cli/packages/cmd/bootstrap.go
+++ b/cli/packages/cmd/bootstrap.go
@@ -43,7 +43,7 @@ func handleK8SecretOutput(bootstrapResponse api.BootstrapInstanceResponse, k8Sec
 // Parse and execute the template to render only the data/stringData section
 tmpl, err := template.New("k8-secret-template").Funcs(template.FuncMap{
- "b64enc": func(s string) string {
+ "encodeBase64": func(s string) string {
 return base64.StdEncoding.EncodeToString([]byte(s))
 },
 }).Parse(k8SecretTemplate)
@@ -291,8 +291,8 @@ func init() {
 bootstrapCmd.Flags().String("organization", "", "The name of the organization to create for the instance")
 bootstrapCmd.Flags().String("output", "", "The type of output to use for the bootstrap command (json or k8-secret)")
 bootstrapCmd.Flags().Bool("ignore-if-bootstrapped", false, "Whether to continue on error if the instance has already been bootstrapped")
- bootstrapCmd.Flags().String("k8-secret-template", "", "The template to use for rendering the Kubernetes secret (entire secret JSON)")
- bootstrapCmd.Flags().String("k8-secret-namespace", "", "The namespace to use for the Kubernetes secret")
+ bootstrapCmd.Flags().String("k8-secret-template", "{\"data\":{\"token\":\"{{.Identity.Credentials.Token | encodeBase64}}\"}}", "The template to use for rendering the Kubernetes secret (entire secret JSON)")
+ bootstrapCmd.Flags().String("k8-secret-namespace", "", "The namespace to create the Kubernetes secret in")
 bootstrapCmd.Flags().String("k8-secret-name", "", "The name of the Kubernetes secret to create")
 rootCmd.AddCommand(bootstrapCmd)
 }
diff --git a/docs/cli/commands/bootstrap.mdx b/docs/cli/commands/bootstrap.mdx
index 156cfabb8f..0a7a2791c2 100644
--- a/docs/cli/commands/bootstrap.mdx
+++ b/docs/cli/commands/bootstrap.mdx
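Review bot: Renaming the FuncMap entry removes `b64enc` outright, so any existing `--k8-secret-template` value or Helm `secretTemplate` override that still pipes through `b64enc` will fail at `Parse` with an undefined-function error once this CLI build is used. Registering both names for a deprecation period avoids that: keep a `"b64enc"` entry that points at the same closure as `"encodeBase64"`. Separately, the documented `stringData` examples interpolate values such as `{{.User.Email}}` into JSON without escaping; if the rendered output is later parsed as JSON, as the flag description suggests, a JSON-escaping helper in this FuncMap would be worth adding. handleK8SecretOutput starts and ends outside the hunk.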
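Review bot: The `k8-secret-template` help text still says "(entire secret JSON)", but the comment in handleK8SecretOutput says the template renders only the data/stringData section, and the new default contains only `data`. The description should match, e.g. `"The template for the data/stringData section of the Kubernetes secret (JSON)"`. The escaped default would also read better as a backquoted raw string literal, so the JSON is not obscured by `\"`. With a non-empty default, the instance admin token is now written to the Secret whenever no template is passed, while `k8-secret-name` and `k8-secret-namespace` still default to empty; their validation is not visible in this hunk, so confirm it still rejects empty values. The body of init begins outside the hunk.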
@@ -104,7 +104,7 @@ When using `k8-secret`, the command will create or update a Kubernetes secret di ```bash # Example template that stores the token -infisical bootstrap --k8-secret-template='{"data":{"token":"{{.Identity.Credentials.Token | b64enc}}"}}' +infisical bootstrap --k8-secret-template='{"data":{"token":"{{.Identity.Credentials.Token | encodeBase64}}"}}' # Example template with multiple fields infisical bootstrap --k8-secret-template='{"stringData":{"token":"{{.Identity.Credentials.Token}}","org-id":"{{.Organization.ID}}","user-email":"{{.User.Email}}"}}' @@ -112,7 +112,7 @@ infisical bootstrap --k8-secret-template='{"stringData":{"token":"{{.Identity.Cr Available template functions: -- `b64enc`: Base64 encode a string +- `encodeBase64`: Base64 encode a string Available data fields: @@ -189,7 +189,7 @@ The command returns a JSON response with details about the created user, organiz ### Kubernetes Secret Output -When using `--output=k8-secret`, the command creates or updates a Kubernetes secret in your cluster and logs the operation result. +When using `--output=k8-secret`, the command creates or updates a Kubernetes secret in your cluster and logs the operation result. This is particularly useful for automated bootstrapping scenarios such as Kubernetes Jobs, GitOps workflows, or when you need to immediately store the admin credentials for use by other applications in your cluster. ## Kubernetes Integration diff --git a/docs/self-hosting/guides/automated-bootstrapping.mdx b/docs/self-hosting/guides/automated-bootstrapping.mdx index b4b77d5c18..05b8989ed6 100644 --- a/docs/self-hosting/guides/automated-bootstrapping.mdx +++ b/docs/self-hosting/guides/automated-bootstrapping.mdx 
@@ -70,6 +70,8 @@ You can bootstrap an Infisical instance using either the API or the CLI. When deploying Infisical using the official Helm chart, you can enable automatic bootstrapping that runs as part of the deployment process. This eliminates the need to manually bootstrap the instance after deployment. +The bootstrapping process automatically generates a Kubernetes secret containing the instance admin token, which can then be referenced by Crossplane providers, Terraform operators, or other automation systems for further infrastructure provisioning and configuration. + ### Configuration Enable auto bootstrapping in your Helm values by setting `autoBootstrap.enabled: true` and providing the necessary configuration: @@ -78,7 +80,7 @@ Enable auto bootstrapping in your Helm values by setting `autoBootstrap.enabled: autoBootstrap: enabled: true organization: "My Organization" - secretTemplate: '{"data":{"token":"{{.Identity.Credentials.Token | b64enc}}"}}' + secretTemplate: '{"data":{"token":"{{.Identity.Credentials.Token | encodeBase64}}"}}' secretDestination: name: "infisical-bootstrap-secret" @@ -122,7 +124,7 @@ The `secretTemplate` field allows you to customize the data section of the creat - `{{ .User.FirstName }}`: The admin user first name - `{{ .User.LastName }}`: The admin user last name -The template also supports the `b64enc` function for base64 encoding values. +The template also supports the `encodeBase64` function for base64 encoding values. Example template for storing multiple values: @@ -130,9 +132,9 @@ Example template for storing multiple values: secretTemplate: | { "data": { - "infisical_token": "{{ .Identity.Credentials.Token | b64enc }}", - "admin_email": "{{ .User.Email | b64enc }}", - "organization": "{{ .Organization.Name | b64enc }}" + "infisical_token": "{{ .Identity.Credentials.Token | encodeBase64 }}", + "admin_email": "{{ .User.Email | encodeBase64 }}", + "organization": "{{ .Organization.Name | encodeBase64 }}" } } ``` 
diff --git a/helm-charts/infisical-standalone-postgres/values.yaml b/helm-charts/infisical-standalone-postgres/values.yaml
index 2d5f12abcc..9a4d691634 100644
--- a/helm-charts/infisical-standalone-postgres/values.yaml
+++ b/helm-charts/infisical-standalone-postgres/values.yaml
@@ -21,8 +21,8 @@ infisical:
 # -- Infisical Infisical CLI image tag version
 tag: "0.41.86"
- # -- Template for the data/stringData section of the Kubernetes secret. Available functions: b64enc
- secretTemplate: '{"data":{"token":"{{.Identity.Credentials.Token | b64enc}}"}}'
+ # -- Template for the data/stringData section of the Kubernetes secret. Available functions: encodeBase64
+ secretTemplate: '{"data":{"token":"{{.Identity.Credentials.Token | encodeBase64}}"}}'
 secretDestination:
 # -- Name of the bootstrap secret to create in the Kubernetes cluster which will store the formatted root identity credentials
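Review bot: The default `secretTemplate` now calls `encodeBase64`, but the CLI image tag just above it stays at `"0.41.86"`. If that image predates the rename in cli/packages/cmd/bootstrap.go, the bootstrap job would fail to parse the chart's own default template. Either bump the tag in the same change to a CLI release that registers `encodeBase64`, or keep `b64enc` available in the CLI so both chart/CLI pairings work. Users who override `secretTemplate` with `b64enc` would hit the same failure on upgrade, so the chart's upgrade notes should mention the rename.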